Add Microsoft Identity Platform auth option to the Blazor Web App template #51202
Comments
Thanks for contacting us. We're moving this issue to the
Seeing this moved to .NET 9 is disappointing. Once again templates won't have a simple and functional way to have a working configuration with Azure ID/Entra, and the current status of the documentation for .NET 8 is also poor, since pages with the details shown for .NET 7 have been removed.
Unless I'm missing something this is just the server rendering solution. It doesn't support the other render modes such as Auto.
For now, it is the component with InteractiveServerRenderMode only. For Auto, you need to add code to the Client project. Something like this: https://learn.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/standalone-with-azure-active-directory-b2c?view=aspnetcore-7.0
I guess the question is how we cover both scenarios that may happen when using Auto: the first access is server-side Blazor, the following accesses should be WASM, so the auth workflow changes depending on the render mode, or am I missing anything?
Very disappointing not to see this in .NET 8 given it's an LTS.
This is the kind of guidance I am missing as well @danroth27
That's correct, although the transfer to WASM could be at any point and in an advanced scenario it may even go back. I think it needs keeping in sync between the two modes using something like the PersistingRevalidatingAuthenticationStateProvider implemented in the template. I did notice the HttpClient call for the Weather was also removed from the templates (#51204). I suspect this was for similar reasons. The HttpClient could be called from Client (WASM) or Server (which is a little wasteful) so you need to register HttpClient on both. Then when you add Authentication and Authorization you have to keep them in sync without using the HttpContext on the server. I know there is the alternative of two implementations of a weather service, one for Client and one for Server, but code-wise that isn't ideal if you are migrating from WASM with a WebAPI backend and looking to quickly get the benefits of Auto mode. It doesn't appear trivial to implement authentication and authorization that works in Auto mode, and the templates have neglected to demonstrate it. Essentially anyone using any kind of Auth (most projects?) or HttpClient can't automatically move to Auto mode. If the templates won't be updated soon, some example projects with Authentication and Authorization scenarios would be great. Ideally I would like to see a Microsoft Identity (Entra) login that works in Auto mode and can make HttpClient calls from Client or Server to an API using authorization. Additionally it would be great if the project demonstrated adding additional claims in code and the [AllowAnonymous] attribute applied on some pages. Some changes appear to have happened around AllowAnonymous to make this work?
@peterthorpe81 if you look at what happens in the new Blazor Web App when Auto and Identity with local user accounts are used, you'll see that the server app manages all the authentication work, and the client (WASM) synchronizes the authentication state with the server app. Following this logic, auth in Auto mode with Microsoft Identity Platform may be done in a similar way. 🤔
Yes, this is what I have been looking at, but I don't seem to be able to get a config that works in both render modes. I think one of the differences is that local accounts are authenticated within your site using the scaffolded pages. Microsoft Identity Platform is going out to an external site, so the redirect loses the state.
@peterthorpe81 agreed. One less than ideal way is to have the server authenticate with AD, then store the information in the cookie to pass it to the client, but that means the SPA workflow of AD is ignored entirely, also when in WASM mode, which I do not think is a great solution.
I think if we can get a template for just Interactive Server Per Page/Component, that would be great for now.
Interactive Server should not have changed (see the old template). It is just a web app. Similarly, setting up a hosted WASM web app. The main difference is when using Auto mode (but after a few tests, it seems also in this case changes may not be too deep).
The key point from my perspective is that the "old" template only allows choosing .NET 6/7. If one wants to remain on a "supported" version, the only option seems to be to go through the upgrade steps involved ... which is just nowhere near as simple as it has been for previous releases. Further, Visual Studio IntelliSense is breaking when using newer Razor components. I've submitted a separate issue via VS for that.
This issue really breaks Blazor quite a bit for me.
I agree that this is a must have. I've been struggling with this.
Switched from ASP.NET Identity to Microsoft Identity because of the Duende debacle. Now switching back lol, hope my users don't complain too much. I watched the dotnet conf, I don't think it was made clear enough to me that ASP.NET Identity no longer depends on Duende?
Considering that this was broken with an LTS release (.NET 8), extremely disappointing that it's not going to be addressed in the next interim release. Just add back in the server-side Blazor template, please. It makes less sense to force people needing this workflow to start new projects with a .NET 7 template, then upgrade it. Would really like a feature-stable release that is not going to completely abandon supported templates. At the least, provide Microsoft "approved" and "supported" documentation for a secure alternative. To be clear: I don't care about samples and workarounds on other repositories. If it's not in the official templates, I'm not going to use it.
https://www.roundthecode.com/ has many Blazor tutorials, and the author also has some LinkedIn courses. Also, I just tried creating a .NET 6 Blazor Server App and the tooling is broken now for the .NET 6 template. I do have a workaround if anyone is interested.
@marqdouj and @shoffma1 There are samples for .NET 8 in the blazor-samples repository: https://github.com/dotnet/blazor-samples/tree/main/8.0 Some info about them is in the README here: https://github.com/dotnet/blazor-samples/tree/main
Hi, We deeply appreciate your input and recognize the importance of having a consistent, correct, and simple way to integrate Microsoft Entra with your web apps. I opened a request to add Microsoft Entra to the new scaffold tool today (dotnet/Scaffolding#2890) and will follow up personally with the team to understand what's feasible in the .NET 9 timeframe. We are also still tracking and actively working on the docs samples and guidance (dotnet/AspNetCore.Docs#29452). For those of you who really want a template experience, if you could simply type something like dotnet scaffold up (not committing to this as the exact solution, just brainstorming) after creating a project from a template, would that work? It would be essentially like a command line version of the connected services experience. If it's not a solution you can work with, please share the details behind why so I can review them with our team as we prioritize. Thank you.
[like] Louise Newell reacted to your message.
I think this would be fine. Anything you can do to make the process less about discovering documentation, while also maintaining consistency for that process to scaffold a new app, going forward with later releases, would be great. Thank you for hearing us and responding. |
Or even any OpenID Connect / OAuth-based, standards-compliant authentication and token system...
@JeremyLikness Thanks for your proposal! I think the CLI tool would help. Having a working Entra setup is important to quickly get up to speed with a simple but workable starting point, where with workable I mean that one does not need to write from scratch the barebone parts to make a functional API call 😇. I'd be happy to test. |
Hi. I also wanted to use B2C with a Blazor Web App using auto. I guess I'll have to just start from the .NET 7 template and use Blazor Server. I can't keep wasting time on this. It would be great if Microsoft could release a template for this soon. Thanks. |
@MarkEvans8 there has been an unofficial template for a while now: https://github.com/dotnet/blazor-samples/tree/main/8.0/BlazorWebAppOidc This sample uses OIDC, but with minor changes, you can use Microsoft.Identity.Web. Let me know and I can share more details if needed. P.S. If you can use Entra External Identities instead of AD B2C, you'll likely save yourself headaches (at least that is my experience). |
Hi @AlbertoPa It's very nice of you to send me this advice. Maybe I could explain a bit about my project and see what you think? I'm building a simple consumer app with a Blazor website and a MAUI Blazor Hybrid mobile app for Android and iOS. I'm sharing all the Blazor UI components so I only need to write this stuff once. The data comes from a secure API. Everything is hosted on Azure. I want to allow users to either sign up using an email and password or else use Google or Facebook. It would be nice if I didn't have to make login forms and store user information in my database. I've managed to get most of this working using AD B2C. I haven't been able to get a Blazor Web App working on Auto render mode though. I don't know anything about OIDC or Entra External Identities. I would like to use the latest versions of everything. I don't want to use any older systems or frameworks. Now that I have explained my requirements, what do you think is the easiest way to achieve this? Should I download this GitHub example and attempt to use it with Entra External Identities? I'm not an expert on any of this, and I'm worried that I could waste weeks trying to figure this out unless there is detailed documentation and examples that can lead me through it. Thanks.
Entra External Identities is just the new AD for external identities (B2B and B2C). If you used B2C, this is the reference: https://learn.microsoft.com/en-us/entra/external-id/customers/ The advantage is that the portal is easier to use and some of the challenges of AD B2C have been addressed (easier branding, setting up claims, etc.). For the app, follow the strategy you see in the template, where there is a PersistingAuthenticationStateProvider in the server app and a PersistentAuthenticationStateProvider in the client app. The idea is that the app talks to Entra and then uses cookies (not tokens) to store the authentication info. OIDC is the protocol, and Entra can use it. The template uses it in order not to rely on a specific library. If you don't want to set all those details manually as in the template, you can use the Microsoft Identity Library (it is mentioned in one of the comments).
in your Program.cs for the server app. You will need to set up how to call a downstream API if it is separate from the server app. I do not think there is anything more detailed than the sample app above (and the Entra documentation will definitely take time to be digested). |
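The pattern described in the two comments above (a server-side provider that persists the signed-in user into prerendered state, a client-side provider that rebuilds the principal from it, and Microsoft.Identity.Web doing the Entra sign-in on the server) in one file, as an added illustration that is not code from the thread, the template, or the dotnet/blazor-samples repository. The `UserInfo` record, the `"AzureAd"` configuration section name, and the choice of `ClaimTypes.NameIdentifier` as the persisted id are assumptions; the class names follow the thread's naming, but the bodies are written here.

```csharp
// Added example, not code from the thread or from dotnet/blazor-samples.
// Shown as one file for readability; in a real solution the Program.cs lines and
// PersistingAuthenticationStateProvider live in the server project, and
// PersistentAuthenticationStateProvider in the Client (WASM) project.
// Assumptions: the UserInfo record, the "AzureAd" config section, and which claim
// carries the user id (depends on the tenant and the handler's claim mapping).
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Components;
using Microsoft.AspNetCore.Components.Authorization;
using Microsoft.AspNetCore.Components.Server;
using Microsoft.AspNetCore.Components.Web;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// Server: Entra signs the user in over OIDC (Microsoft.Identity.Web registers the
// OIDC and cookie handlers); the session is a server-issued cookie, so no access
// token is handed to the browser. "AzureAd" holds TenantId, ClientId, etc.
builder.Services
    .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));
builder.Services.AddAuthorization();
builder.Services.AddCascadingAuthenticationState();
builder.Services.AddScoped<AuthenticationStateProvider, PersistingAuthenticationStateProvider>();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
// app.MapRazorComponents<App>().AddInteractiveServerRenderMode()
//    .AddInteractiveWebAssemblyRenderMode().AddAdditionalAssemblies(...); // as in the template
app.Run();

// Shared contract: only a minimal, non-secret projection of the principal is
// persisted. Never copy tokens or sensitive claims into prerendered page state.
public sealed record UserInfo(string UserId, string Name);

// Server: captures the circuit's AuthenticationState and, when the page is being
// prerendered for the WebAssembly render mode, writes UserInfo into the
// PersistentComponentState that travels with the rendered HTML.
public sealed class PersistingAuthenticationStateProvider
    : ServerAuthenticationStateProvider, IDisposable
{
    private readonly PersistentComponentState _state;
    private readonly PersistingComponentStateSubscription _subscription;
    private Task<AuthenticationState>? _authStateTask;

    public PersistingAuthenticationStateProvider(PersistentComponentState state)
    {
        _state = state;
        AuthenticationStateChanged += OnAuthenticationStateChanged;
        _subscription = state.RegisterOnPersisting(PersistAsync, RenderMode.InteractiveWebAssembly);
    }

    private void OnAuthenticationStateChanged(Task<AuthenticationState> task) => _authStateTask = task;

    private async Task PersistAsync()
    {
        if (_authStateTask is null) return;                 // nothing resolved yet
        var user = (await _authStateTask).User;
        if (user.Identity?.IsAuthenticated != true) return; // anonymous: persist nothing

        var id = user.FindFirst(ClaimTypes.NameIdentifier)?.Value; // assumption: adjust to your tenant's claim
        var name = user.Identity.Name;
        if (id is not null && name is not null)
            _state.PersistAsJson(nameof(UserInfo), new UserInfo(id, name));
    }

    public void Dispose()
    {
        _subscription.Dispose();
        AuthenticationStateChanged -= OnAuthenticationStateChanged;
    }
}

// Client: rebuilds a ClaimsPrincipal from the persisted UserInfo so <AuthorizeView>
// and [Authorize] pages render the same way after the switch to WebAssembly.
// This principal drives UI only: the server, and any API the client calls, still
// authorizes every request from its own cookie or token validation.
public sealed class PersistentAuthenticationStateProvider : AuthenticationStateProvider
{
    private readonly Task<AuthenticationState> _authStateTask;

    public PersistentAuthenticationStateProvider(PersistentComponentState state)
    {
        var anonymous = new ClaimsPrincipal(new ClaimsIdentity());
        _authStateTask = Task.FromResult(new AuthenticationState(anonymous));

        if (state.TryTakeFromJson<UserInfo>(nameof(UserInfo), out var info) && info is not null)
        {
            var claims = new[]
            {
                new Claim(ClaimTypes.NameIdentifier, info.UserId),
                new Claim(ClaimTypes.Name, info.Name),
            };
            var identity = new ClaimsIdentity(claims, authenticationType: nameof(PersistentAuthenticationStateProvider));
            _authStateTask = Task.FromResult(new AuthenticationState(new ClaimsPrincipal(identity)));
        }
    }

    public override Task<AuthenticationState> GetAuthenticationStateAsync() => _authStateTask;
}
```

In the Client project the provider is registered as a singleton (`AddSingleton<AuthenticationStateProvider, PersistentAuthenticationStateProvider>()` together with `AddAuthorizationCore()` and `AddCascadingAuthenticationState()`), since a WASM app has one user for its lifetime. The same split is what the earlier comment about keeping the two render modes in sync is asking for: the server is the only party that talks to Entra, and the client only receives the already-authenticated identity.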
@AlbertoPa since you brought it up: is Entra External ID really ready for B2C, i.e., does it offer what Azure B2C offers regarding:
Because only ~8 weeks ago, I was explicitly encouraged by Microsoft's paid (!) support, i.e., its partner company Even more so, the ticket I created - for which we had to pay another 30 bucks ("Developer Plan upgrade", just to tell Microsoft about a potential bug in their "custom policies" framework) - requires attempt after attempt of workarounds, but didn't succeed for a single item at least one single time. Sorry for the emotional response - I do know none of that is your fault at all. But seeing people talking about Entra like it can be used as replacement instead of Azure B2C, yet the "official" support stating otherwise, drove me nuts.. 🙈😅 |
@Eagle3386 you will have to check the documentation for the details, but:
I started using external tenants some time ago out of frustration with AD B2C to achieve even the most basic task. I have no idea why they are recommending AD B2C with its convoluted custom policies: it may be specific to your use case, but for my case (a BFF app and a server-side Blazor app, both of which use custom API connectors), it has been easier to use and has been working fine.
@AlbertoPa does it handle Multi-Tenant Microsoft Entra accounts? This is the one issue that required me to use the "Azure B2C with custom policies" route. |
@ADefWebserver Look up how to do that through Microsoft Partner ID. When you’ve done it - then you get a little blue icon showing you’ve been validated by MS. |
So, you were exactly in my current position (regarding the frustration, that is) - good, at least for me. 😅 But since you're also going the BFF-route: my case is a Blazor WASM standalone app, communicating (excl. MSAL which handles sign-ins without our backend) with the BFF which deals with all authentication & authorization stuff regarding calls to all other backend micro-services - effectively freeing those of doing all that auth stuff over & over again. |
@Eagle3386 if I understand your case correctly, yes. The type of apps you can register and the interaction with the external tenants are more or less the same you can have in B2C (API connectors are different and a bit easier to deal with). I don't follow what "there is no externally accessible system" means though, in your second statement. Does it refer to the API-BFF only?
@AlbertoPa Since there's no API connector (we're using Azure B2C / would use Entra External ID only for authenticating users & authorization via claims, e.g., email, customer ID, name, roles) & then we're redirecting back to our internal systems - even in case of the "API-BFF", which brings me to your question. What I meant was: there's only the Blazor WASM app's BFF which is externally accessible right now, but there are plans for a future "API-BFF", serving as endpoint for partners using our data/services & those will be required to authenticate via Azure B2C / Entra External ID as well (probably via device code instead of personal access tokens as those are services, not actual persons 😉). |
@Eagle3386 I asked about API connectors because those are used in B2C to enrich the token with custom claims. That said, it would seem that shifting from B2C to an Entra external tenant is feasible (assuming you can configure your external providers as you need. I do not see Apple being supported at the moment, for example). |
@AlbertoPa I see, thanks for the clarification. Since you brought custom claims up: I thought that those could be added on-premise, i.e., after sign-in, the Blazor WASM app passes the token to the BFF which validates it & if authentic, adds claims as required - or does such enrichment explicitly require the configuration as an API connector in Entra & exposing an endpoint of our service to Azure/Entra for that? 🤔 Sorry for the confusion, but that's not really explained well within the docs, hence my questions..
@Eagle3386 that is precisely what the "token issuance start" event for an API connector does: https://learn.microsoft.com/en-us/entra/external-id/customers/concept-custom-extensions#token-issuance-start-event. And because keeping the same name would have been too simple (😂), you now must pay attention to the fact that "API connectors" and "custom authentication extensions" are the same thing. See here for an overview: https://learn.microsoft.com/en-us/entra/identity-platform/custom-extension-overview?context=%2Fentra%2Fexternal-id%2Fcustomers%2Fcontext%2Fcustomers-context
I created a Blazor Web App sample that uses Microsoft.Identity.Web to connect to Entra/Azure AD B2C. You can take a look at dotnet/blazor-samples#355. Eventually, we plan to turn this into something you can scaffold in VS. Feel free to add feedback on the PR if you have any.
We think the way we're going to do this is to base this experience on the new dotnet scaffolder experience, so that once the Blazor Web App project is created, the Auth scaffolding experience kicks off automatically. @vijayrkn let's discuss the details and build the plan for how we can make this work and in which timeframes.
Sounds promising 👌🏻
Since .NET 9 is out, any update on this guys? |
We don't currently support the Microsoft Identity Platform auth option with the Blazor Web App template. We should add it.